Low Risk — Risk Score 10/100
Last scan: 18 hr ago
document-ingestion
Process raw accounting source documents (PDFs, CSVs, bank statements, invoices, receipts) into standardized transaction records for QBO import.
A well-documented accounting document ingestion skill with no implementation scripts present. All declared functionality (PDF/CSV processing, QBO export, Excel output) is legitimate and standard for financial workflows.
Skill Name: document-ingestion
Duration: 34.5s
Engine: pi
Safe to install
Package is safe to use. However, no implementation scripts exist — only SKILL.md documentation is included. Ensure the implementation script (scripts/pipelines/document-ingestion.py) is delivered alongside this skill before deployment.

Findings: 1 item

Severity Finding Location
Low
No implementation script included in package Doc Mismatch
SKILL.md references scripts/pipelines/document-ingestion.py as the implementation, but no script files are included in the package. This prevents verification of doc-to-code alignment.
scripts/pipelines/document-ingestion.py
→ Ensure the implementation script is packaged alongside SKILL.md before deployment so that a full code review can be performed.
SKILL.md:65
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md: Reads input documents (PDF, CSV, images) from user-provided paths |
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md: Writes Excel workbook + QBO CSV to --out directory |
| Network | READ | READ | ✓ Aligned | SKILL.md: Pulls Chart of Accounts from QBO API only when --no-qbo-coa is not set |
| Shell | NONE | NONE | | No shell execution declared or implied in SKILL.md |
| Environment | NONE | NONE | | No environment variable access declared; QBO auth handled via token config |
| Browser | NONE | NONE | | Not referenced in SKILL.md |
| Database | NONE | NONE | | No database access declared or implied |
| Clipboard | NONE | NONE | | Not referenced in SKILL.md |

File Tree

1 file · 8.8 KB · 257 lines
Markdown 1f · 257L
└─ 📝 SKILL.md Markdown 257L · 8.8 KB

Security Positives

✓ Comprehensive documentation with clear scope boundaries (explicitly excludes reconciliation, P&L, AR collections)
✓ Financial calculations use Python Decimal with ROUND_HALF_UP to 2 decimal places — no floating-point arithmetic risks
✓ Duplicate detection logic is well-defined with explicit ±3 day window and matching criteria
✓ No credential harvesting or environment variable exfiltration referenced
✓ No obfuscation, base64, or anti-analysis patterns present in documentation
✓ QBO API integration is scoped to read-only Chart of Accounts pull — no write-back to QBO without user action
✓ CDC cache stores only delta metrics (counts and statistics) — no raw financial data exfiltration
✓ Standard, well-known Python packages only (openpyxl, pdfminer.six, ofxparse)
✓ MIT license clearly declared